USER GUIDE: FortiOS v3.0 MR7 SSL VPN User Guide. www.fortinet.com
FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents (excerpt)
• Web portal home page features ... 66
• Launching web portal applications ... 68
• URL re-writing ... 68
• Adding a bookmark to the My Bookmarks list ... 69
• Starting a session from the Tools area ... 80
• Tunnel-mode features ... 80
• Working with the ActiveX/Java Platform plug-in ... 81
• Uninstalling the ActiveX/Java Platform plug-in ... 83
• Logging out ... 83
• Index ... 85
FortiOS v3.0 MR7 SSL VPN User Guide 01-30007-0348-20080718
Introduction
This section introduces you to FortiGate™ Secure Sockets Layer (SSL) VPN technology and provides supplementary information about Fortinet™ publications. The following topics are included in this section:
• About FortiGate SSL VPN
• About this document
• FortiGate documentation
• ...
Caution: Warns you about commands or procedures that could have unexpected or undesirable results, including loss of data or damage to equipment.
“Configuring a FortiGate describes the two modes of operation,
Typographic conventions (table headings only survive): Document names, File content, Menu commands, Program output, Variables.
FortiGate documentation
The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com. The following
• FortiGate QuickStart Guide: Provides basic information about connecting and installing a FortiGate unit.
• FortiGate VLANs and VDOMs User Guide: Describes how to configure VLANs and VDOMs in both NAT/Route and Transparent mode. Includes detailed examples.
Additional information about Fortinet products is available from the following related documentation.
• FortiManager QuickStart Guide: Explains how to install the FortiManager Console, set up the FortiManager Server, and configure basic settings.
Fortinet Tools and Documentation CD
All Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For up-to-date versions of Fortinet documentation, see the Fortinet Technical Documentation web site at http://docs.forticare.com.
Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.
Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network.
SSL and IPSec VPN tunnels may operate simultaneously on the same FortiGate unit.
Comparison of SSL and IPSec VPN technology
SSL supports sign-on to a web portal front-end, from which a number of different enterprise applications may be accessed. The Fortinet implementation enables you to assign a specific port for the web portal and to customize the login page if desired.
The feature comprises an SSL daemon running on the FortiGate unit and a web portal, which provides users with access to network services and resources including HTTP/HTTPS, telnet, FTP, SMB/CIFS, VNC, RDP and SSH.
SSL VPN modes of operation
SSL VPN tunnel mode can also be initiated from a standalone application on Windows, Mac OS and Unix.
Configuring a FortiGate SSL VPN
IP address range or network that remote clients will be able to access behind the FortiGate unit. For example, networks Subnet_1 and Subnet_2.
Figure 1 shows a FortiGate gateway (FortiGate_1) to two private...
If the remote clients need tunnel-mode access, see requirements” on page
Figure 1 labels: Remote client, Internet, wan1, FortiGate_1, internal 192.168.22.1, Subnet_2 192.168.22.0/24
SSL VPN Virtual Desktop should be used (Windows XP only).
To download and run the SSL VPN Virtual Desktop application
1. Go to the Fortinet Technologies home page at select Support.
2. Under Support, enter your user name and password. This takes you to the Fortinet customer support site.
3. Select Firmware Images and then FortiGate. The FortiGate index page opens.
4. Select v3.0 and then MR7. This takes you to the page with firmware images for MR7.
5. Select SSL VPN Clients.
http://support.fortinet.com/
Figure 2: FortiClient SSL VPN InstallShield Wizard welcome screen
To run the SSL VPN Virtual Desktop application, select Start > All Programs > FortiNet > SSL VPN Virtual Desktop > SSL VPN Virtual Desktop. The FortiGate unit may offer you a self-signed security certificate. If you are prompted to proceed, select Yes.
There are separate download files for each operating system. The most recent version of the SSL VPN standalone client applications can be found at http://support.fortinet.com/
Tunnel-mode client requirements
Under Support, enter your user name and password. This takes you to the Fortinet customer support site. Select Firmware Images and then FortiGate.
Figure 3: Firmware Images selection on Fortinet customer support site
The FortiGate index page opens.
Figure 4: FortiGate index page
Select v3.0 and then MR7. This takes you to the page with firmware images for MR7. Select SSL VPN Clients. To download the SSL VPN Windows client application, select FortiClientSSLVPNSetup_3.0.384.exe or FortiClientSSLVPN_3.0_384.msi and follow the InstallShield Wizard instructions.
Configuring the SSL VPN client
To use the SSL VPN standalone tunnel client (Windows)
Go to Start > All Programs > Fortinet > FortiClient SSL VPN > FortiClient SSL VPN.
Server Address: Enter the IP address of the server you need to access.
Go to the Fortinet Technologies home page at select Support. Under Support, enter your user name and password. This takes you to the Fortinet customer support site. Select Firmware Images and then FortiGate. The FortiGate index page opens. Select v3.0 and then MR7.
Type your password and select Enter. The License Agreement dialog appears in the command line terminal window. Accept the License Agreement and select Enter.
you will have to set up system
The FortiClient SSL VPN tunnel client (Linux) opens. After this initial setup is complete, a user with a normal (non-administrator) account can establish an SSL VPN tunnel session.
[...] and password: Select to save the value in User and Password for future logins.
Keep connection alive until manually stopped: Select to have the connection stay up until you log out.
Go to the Fortinet Technologies home page at select Support. Under Support, enter your user name and password. This takes you to the Fortinet customer support site. Select Firmware Images and then FortiGate. The FortiGate index page opens.
The application installs the program ‘forticlientsslvpn’ in the Applications folder. Unmount the disk image by selecting the disk image file ‘forticlientsslvpn_macos_3.0.nnn.dmg’ and dragging it into the Trash (nnn refers to the build number).
In the Applications folder, select ‘forticlientsslvpn’ and drag it into the Trash. After you empty the Trash folder, the installed program is removed from the user computer.
VPN > SSL > Config and select Enable SSL-VPN. The FortiGate unit does not accept web-only mode or tunnel-mode connections while SSL VPN operation is disabled.
SSL VPN settings (table reconstructed in part):
Enable SSL-VPN: Select to enable SSL VPN connections.
(Tunnel IP range): Specify the range of IP addresses reserved for tunnel-mode SSL VPN clients. Type the starting and ending address that defines the range of reserved IP addresses.
Require Client Certificate
Encryption Key Algorithm: Specifies the cipher suite for SSL.
(for example, 10.254.254.0/24).
Setting the idle timeout
Adding WINS and DNS services for clients.
Go to VPN > SSL > Config. In the Idle Timeout field, type an integer value. The valid range is from 10 to 28800 seconds. Select Apply.
To display a custom popup window for a user group
Go to User > User Group.
FortiGate user group definitions, which can optionally use established authentication mechanisms such as RADIUS and LDAP to authenticate remote clients (see “Changing the authentication login page” in the “System Config”...
Select RADIUS to authenticate this user using a password stored on a RADIUS server. Select the RADIUS server from the drop-down list. Select OK. Repeat this procedure for each remote user.
Note: If a user has been configured to use tunnel mode only, the tunnel is brought up automatically when they log in. The split tunneling feature is not activated by default; it must be selected.
Table 1 lists the products supported for clients who have Windows XP SP2. All other systems must have Norton (Symantec) AntiVirus or McAfee VirusScan software installed and enabled.
Configuring firewall policies
IP address of the intended recipient or network. In general, configuring a firewall policy involves:
• specifying the IP source and destination addresses
IP packets may be delivered (for example, Subnet_1). From the Type list, select Subnet/IP Range. In the Subnet/IP Range field, type the corresponding IP address and subnet mask (for example, 172.16.10.0/24).
Create additional IP destination addresses and firewall policies if required for each additional user group.
Interface/Zone: Select the FortiGate interface that accepts connections from remote users.
Go to Firewall > Address and select Create New. In the Address Name field, type a name that represents the IP address that is permitted to set up an SSL VPN connection.
SSL VPN firewall policy fields (table reconstructed in part; remaining field names: Source, Destination, Service, Action, SSL Client Certificate Restrictive):
Interface/Zone: Select the FortiGate interface that accepts connections from remote users (for example, external).
Address Name: Select the name that corresponds to the IP address of the remote user.
If the options are concealed, select the blue arrow beside each option to reveal and configure associated settings.
SSL VPN monitor fields (table reconstructed in part):
Begin Time
Description: When a tunnel-mode user is connected, the Description field displays the IP address that the FortiGate unit assigned to the remote host (see ...
[...]: The identifier of the connection.
• Monitoring active SSL VPN sessions
• Configuring SSL VPN bookmarks and bookmark groups
• Viewing the SSL VPN bookmark list
Configuring SSL VPN bookmarks and bookmark groups
Configuring SSL VPN bookmark groups
Go to VPN > SSL > Bookmark Group and select Create New to create a group of selected bookmarks.
Figure 11: Create New Bookmark Group
SSL VPN users in the selected SSL VPN user group.
Figure 12: Assigning a bookmark group to a user
Name: Type the name of the bookmark group.
Granting unique access permissions for SSL VPN tunnel user groups
(with the user as a member) is assigned a dedicated IP range (with no overlap) and therefore can have different access permissions.
Figure 13: SSL VPN configuration for unique access permissions
    ... 10.1.1.1
    set sslvpn-tunnel-endip 10.1.1.10
    set sslvpn-webapp enable
    set sslvpn-os-check enable
    config sslvpn-os-check-list "windows-2000"
        set action check-up-to-date
        set latest-patch-level 3
        set tolerance 1
    config sslvpn-os-check-list "windows-xp"
    ...
After you create the users, you must create the SSL VPN user groups. In order to configure each user with different access permissions, you must create separate user groups and designate specific IP ranges for each group.
Go to Firewall > Address to create the source and destination addresses to specify in the firewall policies.
The policy for user1 is an SSL-VPN firewall policy that includes the applicable source and destination addresses, and has group1 as the user group attached to the policy.
Figure 20: user2 firewall policy
To view the SSL VPN policies, go to Firewall > Policy.
If you are configuring Internet access through an SSL VPN tunnel, the following configuration must be added:
• ssl.root > External, with the action set to Accept, with NAT enabled
To allow SSL-tunnel users to access a policy-based VPN peer network:
Peer network policy (table flattened in extraction; columns: Source, Source address, Destination address, Action, NAT enabled, Protection profile; values shown: wan1, internal, internal subnet, sslvpn, ssl user group(s), ssl.root ...)
Use the following commands in the CLI to resolve the issue:
    config vpn ssl settings
        set route-source-interface enable
    end
Note: This CLI command is only available in FortiOS 3.00 MR4 and higher.
SSL VPN dropping connections
This message is displayed because the FortiGate unit is attempting to redirect your web browser connection. You can ignore the message.
Connecting to the FortiGate unit
The FortiGate unit will redirect your web browser to the FortiGate SSL VPN Remote Access Web Portal home page automatically. The FortiGate SSL VPN Remote Access Web Portal home page is displayed after you log in.
Working with the web portal
My Bookmarks
If your user account permits tunnel-mode connections, you can install/uninstall Fortinet SSL VPN client software and/or initiate an SSL VPN tunnel with the FortiGate unit. Selecting the Activate SSL-VPN Tunnel Mode link at the top of the home page displays the Fortinet SSL VPN Client area.
For example, in the case of the URL http://test.org/index.html, the FortiGate unit would translate it to the following: https://<sslvpn_host:port>/proxy/http/Z<encrypted hex value>/index.html
Details
Delete and Edit icons: Delete or edit an entry in the list.
Figure 24: New Bookmark dialog box
Create a hyperlink. The names of links to remote server applications and network services.
In the URL field, type the URL of the web server (for example, http://www.mywebexample.com or https://172.20.120.101). Select OK. To connect to the web server, select the hyperlink that you created.
A telnet session starts and you are prompted to log in to the remote host. You must have a user account to log in. After you log in, you may enter any series of valid telnet commands at the system prompt.
When you are prompted to log in to the remote host, type your user name and password. You must have a user account on the remote host to log in. Select Login.
From the Application Type list, select SMB/CIFS. In the Shared File Folder field, type the IP address of the SMB host and the root directory associated with your account (for example, //10.10.10.10/share/).
When the current directory is a subdirectory, you can select Up to switch to the parent directory. To end the SMB/CIFS session, select Logout.
When you are prompted to log in to the remote host, type your user name and password. You must have a user account on the remote host to log in. Select OK. To end the VNC session, select Disconnect.
In the Title field, type a name to represent the connection. From the Application Type list, select RDP. In the Shared File Folder field, type the IP address of the RDP host (for example, 10.10.10.10). Select OK.
When you are prompted to log in to the remote host, type your user name and password. You must have a user account on the remote host to log in. Select Login. To end the RDP session, select Logout.
A second message may be displayed to inform you of a host name mismatch. This message is displayed because the FortiGate unit is attempting to redirect your web browser connection. Select Yes to proceed. Select Connect.
• Logging out
• Adding a bookmark to the My Bookmarks list
• URL re-writing
• Working with the ActiveX/Java Platform plug-in
• Uninstalling the ActiveX/Java Platform plug-in
The FortiGate SSL VPN Remote Access Web Portal page is displayed after you log in. Selecting the Activate SSL-VPN Tunnel Mode link at the top of the home page displays the Fortinet SSL VPN Client area. If your user account permits tunnel-mode connections, you can install/uninstall SSL VPN client software and/or initiate an SSL VPN tunnel with the FortiGate unit.
Controls for downloading and installing the ActiveX/Java Platform plug-ins are displayed in the Fortinet SSL VPN Client area of the web portal. You only have to install the ActiveX/Java Platform plug-ins once. Afterward, you can use the SSL VPN client software to initiate a VPN tunnel with the FortiGate unit whenever you access the web portal.
At the top of the web portal home page, select the Activate SSL-VPN Tunnel Mode link. The FortiGate unit may prompt you to install a Fortinet SSL VPN Client plug-in. Follow the instructions provided to install the ActiveX or Java Platform plug-in. Select Connect.
Figure 26: Tunnel established
After the “Fortinet SSL VPN client connected to server” message is displayed and the Disconnect button is enabled (see Figure 26), you have direct access to the network behind the FortiGate unit, subject to the conditions of the FortiGate firewall policy.
Logging out